Explorer
May 8, 2026
Question

Difference Between "FSSO Agent on Windows AD" and "LDAP Servers" Configuration in FortiGate

  • May 8, 2026
  • 8 replies
  • 158 views

Hello community,

I am currently configuring FSSO in FortiGate to create identity-based firewall policies using Active Directory usernames/groups, and I have a question regarding two different configuration sections that seem related to AD integration.

I noticed there are two separate options in the GUI:

  1. Security Fabric > External Connectors > FSSO Agent on Windows AD
  1. User & Authentication > LDAP Servers

At the moment, I configured only the FSSO option and it is already learning users/groups correctly from Active Directory.

My question is:

  • What is the functional difference between these two configurations?
  • What is each option specifically used for?
  • Is it necessary to configure both for identity-based policies?
  • In which scenarios would LDAP configuration still be required if FSSO is already working?

From my understanding so far:

  • FSSO is mainly used for transparent user identification (User ↔ IP mapping) based on Windows logon events.
  • LDAP seems more focused on direct authentication and group querying from AD.

However, I would like to better understand the architecture and best practices, especially in environments where:

  • policies are based on AD groups,
  • user visibility in logs is required,
  • and centralized identity-based access control is implemented.

I would appreciate clarification on how both features complement each other and when both should be configured together.

Thanks in advance.

8 replies

New Member
May 8, 2026

FSSO: the IP x.x.x.x is user first.last

LDAP: I know the user for the IP x.x.x.x is first.last. I know the groups of the user first.last

Policy: I can apply policy to IP x.x.x.x based on the knowledge that IP x.x.x.x is first.last and is a member of group x

AEK
SuperUser
May 9, 2026

Hi Willy


What is the functional difference between these two configurations? & What is each option specifically used for?
--- When we talk in firewall policy scope, FSSO Agent is used for passive authentication, where FGT relies on auth events from DC security logs to have the user-ip associations. On the other hand the LDAP server conf on FGT can be used in active authentication to authenticate users in active portal to get the user-IP associations.


Is it necessary to configure both for identity-based policies? & In which scenarios would LDAP configuration still be required if FSSO is already working?
--- Necessary only if you set the configured LDAP server as "user group source" in the FGT FSSO connector. That means the groups used in firewall policies are the ones defined in the LDAP server conf, while the user-IP associations are provided by the FSSO agent. Note that the recommendation is to set the FSSO agent as the user group source.


While FSSO agent is still used, the modern recommendations are the following, because more robust/reliable/secure:

  • SSO mobility agent (if you have EMS & FAC)
  • ZTNA tags (if you have EMS)
  • NAC agent and tags (if you have FortiNAC)

Hope it helps.

AEK
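Added example (not from AEK's reply or Fortinet's documentation): a FortiOS CLI sketch of the objects the answers above describe, with the LDAP server, the FSSO connector, an FSSO group and an identity-based policy that logs user and IP. The IP addresses, object names, DN values and the `<collector-password>` / `<bind-password>` placeholders are assumed.

```text
# LDAP server object: used for active authentication (captive portal, VPN, admin login)
# and, optionally, as the group source for the FSSO connector.
config user ldap
    edit "AD-LDAP"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "DC=example,DC=local"
        set type regular
        set username "CN=svc-fgt,OU=Service Accounts,DC=example,DC=local"
        set password <bind-password>
        set secure ldaps
        set port 636
    next
end

# FSSO connector: receives user-to-IP associations from the collector agent (passive).
# "set ldap-server" makes the LDAP object the user group source (advanced mode);
# omit that line to keep the collector agent as the group source, as recommended above.
config user fsso
    edit "FSSO-Collector"
        set server "10.0.0.20"
        set password <collector-password>
        set ldap-server "AD-LDAP"
    next
end

# FSSO group whose members are AD groups learned through the connector.
config user group
    edit "FSSO_Finance"
        set group-type fsso-service
        set member "CN=Finance,OU=Groups,DC=example,DC=local"
    next
end

# Identity-based policy: matches on the FSSO group, so forward-traffic logs
# carry the username and source IP for auditing.
config firewall policy
    edit 10
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "FSSO_Finance"
        set logtraffic all
    next
end
```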
RBA
Staff
May 10, 2026

Hi Willy007,

LDAP is an active authentication method, so user would be prompted for username and password. 

FSSO is a passive authentication method. User logs into his PC. a logon event is generated which in turn is fetched by the FSSO collector agent (agent based) and pushed to FortiGate. FortiGate would have the user info pushed from collector agent, so user won't be prompted for credentials.

FSSO: FSSO | FortiGate / FortiOS 8.0.0 | Fortinet Document Library

kaman
Staff
May 10, 2026

Hi willy007,

FSSO and LDAP serve different functions within FortiGate and are typically deployed together in enterprise Active Directory environments. FSSO is primarily responsible for transparent user identification by learning User ↔ IP mappings from AD logon events, allowing identity-based policies and user visibility in logs without requiring additional authentication prompts. LDAP, however, is used for direct authentication and directory queries, including username/password validation and AD group membership retrieval for services such as SSL VPN, captive portal, administrator authentication, and other explicit authentication workflows.

If the requirement is limited to transparent LAN identity policies and user logging, FSSO alone may be sufficient. However, LDAP integration is still considered best practice for reliable group resolution, nested group handling, and all authentication-related services. Therefore, in most production deployments, both FSSO and LDAP are configured together as complementary identity services.

Reference Links:
https://community.fortinet.com/fortigate-3/technical-note-user-based-authentication-on-fsso-using-ldap-and-fsso-agent-on-advanced-mode-99655
https://community.fortinet.com/fortigate-3/technical-tip-alternative-ldap-settings-for-fsso-collector-agent-96593
Regards,
Aman

sjoshi
Staff
May 10, 2026

Hi @willy007,


FSSO (Fortinet Single Sign-On) and LDAP Server integration both connect FortiGate to Active Directory, but they serve different purposes in user identification and authentication workflows. LDAP is active auth, whereas FSSO is passive auth.

FSSO – Transparent User Identification
FSSO provides automatic, transparent user recognition based on Windows logon events without prompting users for credentials.

How it works: The FSSO DC Agents on your domain controllers monitor login events and send user–IP mappings to the FSSO Collector Agent. FortiGate receives these mappings and applies identity-based policies automatically.
Use case: Best when you need seamless user-based access control for internal users without manual login prompts.
Key advantage: Transparent authentication—users are recognized immediately after logging into their Windows session

LDAP – Direct Authentication and Group Querying
LDAP integration allows FortiGate to communicate directly with Active Directory to validate credentials and retrieve user group membership.

How it works: FortiGate connects (binds) over LDAP or LDAPS to an AD server, verifies credentials supplied by a user, and reads group membership information.
Use case: Required for authentication processes that involve user interaction—like SSL VPN login, captive portals, or admin logins.
Key advantage: Enables FortiGate to directly verify user credentials and check AD groups on demand.

The above statements answer your 1st and 2nd questions.

Is it necessary to configure both for identity-based policies?
Not needed.

In which scenarios would LDAP configuration still be required if FSSO is already working?
Advanced Mode FSSO: Requires an LDAP server for detailed group lookups from AD.
Explicit Authentication Use Cases: VPN or Captive Portal users must be validated through LDAP.

Thanks, Salon
Sheikh
Staff
May 11, 2026

Hello @willy007

  • FSSO Agent on Windows AD = used for transparent Single Sign-On (SSO).
    The Fortinet Single Sign-On (FSSO) Collector Agent monitors Windows logon events from Domain Controllers and sends user/IP/group information to the FortiGate automatically. Users do not need to re-enter credentials.
    https://docs.fortinet.com/document/%20fortigate/6.0.0/handbook/482937/agent-based-fsso

  • LDAP Server configuration in FortiGate = used for direct LDAP authentication and/or AD group lookup.
    FortiGate queries Active Directory through LDAP to retrieve users/groups or authenticate credentials directly.
    https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/102264/configuring-an-ldap-server

Feature                               FSSO Agent                         LDAP Server
Authentication style                  Transparent SSO                    Credential-based
Authentication type                   Passive                            Active
Reads Windows logon events            Yes                                No
Retrieves AD groups                   Yes (via LDAP in advanced mode)    Yes
Used for firewall identity policies   Yes                                Yes
Needs collector agent                 Yes                                No

Regards,

Sheikh
willy007 (Author)
Explorer
May 11, 2026

Hi sir,

The only reason for this question is to resolve the logs in "Forward Traffic": I want to see all user and IP information for auditing and reports.

yildirimdogan
Staff
May 15, 2026

Hi @willy007,

The chart above is clear regarding active and passive authentication and identification.

For example, use FSSO group for your firewall policy as FSSO agent will fetch groups from AD dynamically. In addition, you will see and control client IP address as source in firewall policies. It will give granular control on your firewall policies having username and IP combinations.

On the other hand, as mentioned above, use LDAP for identity check for captive portal, IPSec remote Access etc. Thanks